Researcher says Adobe actually made the vulnerability more conspicuous to hackers by issuing a fix outside the regular security update schedule

As expected, Adobe Tuesday released an emergency update that patched a pair of critical vulnerabilities in its popular PDF viewing and editing software. Adobe ranked both bugs as critical.

Last Thursday Adobe said it would issue a rush patch for Adobe Reader and Adobe Acrobat on Feb. 16; it made good on the promise today by addressing two flaws. One was identical to the cross-domain request vulnerability fixed last week in Flash Player, Adobe's ubiquitous media player, while the second was a vulnerability that attackers could exploit to install malware on a targeted machine.

The bug related to Flash Player, tagged as CVE-2010-0186 in the Common Vulnerabilities and Exposures (CVE) database, cannot be used to inject malicious code into a system, but could be exploited by information thieves in a cross-site scripting style of attack, said Andrew Storms, director of security operations at nCircle Network Security.

Between Thursday, when Adobe updated Flash Player, and today, when it patched the same flaw in Reader and Acrobat, the latter programs were theoretically vulnerable to attack if an ambitious hacker had pulled apart the Flash patch and managed to figure out where the vulnerability was within Reader. That didn't happen, Storms noted.

It was the second vulnerability, tagged as CVE-2010-0188, that drew his attention. "Adobe credited it to Microsoft," said Storms, "which in itself is interesting." The bug was reported by the Microsoft Vulnerability Research Program (MSVR), where Microsoft security researchers submit flaws they find in third-party software, such as browser plug-ins like Reader.

Microsoft may have found the vulnerability through its own security process, or it may have been reported by a Microsoft customer to the company, which then passed it along to Adobe. The latter declined to say which was the case, but did say it wasn't aware of any in-the-wild exploits of either vulnerability patched Tuesday.

What intrigued Storms the most was that today's update was outside the regular quarterly security release schedule Adobe's set its PDF software. "Now we know that there's a vulnerability in Reader and Acrobat, but because Adobe's gone out-of-band it's going to draw attention from researchers. The rush is on to disassemble the patch and reverse-engineer an exploit."

Storms argued that by updating Reader and Acrobat today -- about two months before the next slated update, April 13 -- and not explaining why it went out-of-band, Adobe's actually made the CVE-2010-0188 vulnerability more conspicuous to hackers.

"Like usual, the bulletin contains minimal information," said Storms, who has criticized Adobe's security procedures in the past. "We're not familiar with the internal decision-tree of what makes a patch out-of-band and what doesn't. That opaqueness draws more attention than if they were transparent," he said.

In reply to questions, Adobe said it evaluated each bug when it decided to either hold for the next regular update or ship it ASAP. "There are many factors that are being considered in each case, and each vulnerability is unique," said Brad Arkin, Adobe's director for product security and privacy, in an e-mail today. "Ultimately, the decision in each case comes down to what we can do to best mitigate threats to our customers."

Timing may have played a part, if Arkin's comments two months ago are still valid. At the time, he said that Adobe would be more likely to issue an out-of-band update early in the quarterly cycle. Adobe last patched Reader on Jan. 12 when it quashed eight bugs.

Adobe's patch-or-no-patch decision-making was questioned last December. At the time, Adobe said it would not patch a then-exploited Reader vulnerability for several weeks because to push out an emergency update would have disrupted its quarterly security schedule. Adobe took heat from some users and security experts for not immediately fixing a flaw that hackers were actively using.

Arkin did not address Computerworld's questions today about an apparent lack of consistency in how it distributes Reader and Acrobat updates, saying only that, "We were able to fix vulnerability CVE-2010-0188 at the same time, without delaying the fix for the Flash Player vulnerability."

Adobe Reader 9.3.1 and 8.2.1 can be downloaded using links in the security update's accompany bulletin.